Privacy Policy
Last updated: 2026-05-06
This Privacy Policy explains what personal data BridgeToAgent (“we”, “us”) collects, why we collect it, how we use it, and the rights you have over it. We are committed to handling personal data lawfully, transparently, and with as little collection as possible.
This policy is written to comply with the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, and equivalent regimes such as the UK GDPR.
1. Data controller
For the personal data described here, BridgeToAgent acts as the data controller. Contact: privacy@bridgetoagent.com.
2. What we collect
2.1 Information you provide
- Site URL. The URL you submit on the home page so that we can crawl it on your behalf.
- Payment details. Card and billing information is entered directly into Stripe’s checkout surface. We never see or store full card numbers. We receive only the metadata Stripe returns (customer email, payment status, the last 4 digits of the card, country).
- Email correspondence. If you contact support, we keep the messages and your email address to respond.
2.2 Email drip subscription (optional)
If you submit your email address on the audit result panel, we treat that submission as your explicit, informed consent (GDPR Art. 6(1)(a)) to receive a short follow-up email sequence about your AI-readiness audit and the kit we sell. We collect:
- Your email address. Used solely to send the audit report and four follow-up emails over the next ten days, then a single optional discount mail at day ten. Never sold, never rented, never shared with third parties outside the sub-processors disclosed in section 6.
- The URL you audited. Already submitted as part of the audit; the drip subscription stores it so the follow-up emails can reference the specific site.
- Your audit score + caption. Snapshot at the moment of signup so the first follow-up email can recap exactly what you saw.
- Consent record. Timestamp, IP address, and User-Agent at the moment you submitted the form. Required under GDPR Art. 7 to demonstrate that consent was freely given. Retained for the lifetime of the subscriber record.
Storage location: Upstash (EU region), encrypted at rest. Retention: 60 days from signup, then automatic deletion, or earlier if you unsubscribe and we then erase the record on request. Sub-processor: Resend (sender) — see section 6.
You can unsubscribe at any time via the one-click link in the footer of every email, or by emailing hello@bridgetoagent.com. Unsubscribing halts the sequence immediately. To request full erasure of your subscriber record (beyond the unsubscribe flag), email the same address — we will complete the deletion within 30 days per GDPR Art. 17.
2.3 Information collected automatically
- Server logs. Standard request logs (IP address, user agent, timestamp, requested path, response status). Used for security, debugging, and rate limiting. Rotated regularly.
- Analytics (only after explicit opt-in via the cookie banner). When granted, Google Analytics / Google Tag Manager records anonymized page-view and interaction events.
- Marketing pixel (only after explicit opt-in via the cookie banner). When granted, the Meta Pixel records the same anonymized page-view event for ad measurement.
2.4 Google Ads Enhanced Conversions
When you complete a purchase and have granted marketing consent via the cookie banner, we use Google Ads Enhanced Conversions to measure the effectiveness of our ad campaigns. Specifically:
- We collect your email address during the Stripe checkout process (lawful basis: contract — it is required to deliver your kit and receipt).
- On the post-purchase confirmation page, your email address is passed to our Google Tag Manager container, which securely hashes it (SHA-256) in your browser before any data is transmitted to Google. Google never receives your email in plain text.
- Google uses the hashed value solely to match the conversion to a prior ad click on a logged-in Google account, in order to attribute campaign performance. The match is performed on hashed data; non-matching hashes are discarded.
- This data is processed in accordance with Google’s Enhanced Conversions privacy protocols and the data-processing terms agreed between us and Google.
- If you decline marketing consent in the cookie banner, no Enhanced Conversions data is sent to Google.
3. Cookies & consent
On your first visit, we display a cookie-consent banner with three categories:
- Strictly necessary — locked on. Required for the site to function (consent state itself, secure session for checkout). No identifiers are placed for tracking purposes.
- Analytics — opt-in. Loads Google Tag Manager / GA4 if accepted.
- Marketing — opt-in. Loads the Meta Pixel if accepted.
Your choice is stored in your browser’s localStorage under the key bta_consent_v1. You can change or revoke your choice at any time by clearing site data in your browser.
4. How we use your data
- To deliver the kit you paid for (lawful basis: contract).
- To process payments and prevent fraud (lawful basis: contract, legitimate interest).
- To respond to support requests (lawful basis: legitimate interest).
- To measure traffic and improve the product, only if you opted in (lawful basis: consent).
5. How long we keep it
- Site URL & generated kit. Held in a short-lived cache for at most 6 hours so you can retry generation if it fails. Generated ZIPs expire from the download cache after 1 hour.
- Email drip subscription. 60 days from signup, then automatic deletion. Unsubscribing immediately halts further sends but keeps the suppression flag so we don’t inadvertently re-add you. Full erasure on request — see section 8.
- Payment metadata. Retained by Stripe per their own policy. We retain receipts as long as required by Swedish accounting law (typically 7 years).
- Server logs. Up to 30 days.
- Analytics events. Per the retention configured in our Google Analytics property (default 14 months).
6. Sub-processors
The following processors handle data on our behalf. Each is bound by contractual data-protection terms.
- Stripe, Inc. — payments.
- Firecrawl — server-side crawling of the URL you submit. Firecrawl receives the URL only.
- Anthropic, PBC — generates the kit content. The crawled markdown of the URL you submit is sent to Anthropic. Anthropic does not train models on this input.
- Vercel, Inc. — application hosting and edge delivery.
- Resend, Inc. — delivers the drip email sequence to opt-in subscribers. Receives only the recipient’s email address, the rendered message body, and standard delivery metadata. Does not train any model on this content.
- Upstash, Inc. — schedules the delayed follow-up emails (QStash) and stores the subscriber record (Redis). Subscriber data is held in the EU region, encrypted at rest.
- Google LLC — analytics and Google Ads Enhanced Conversions (only if you opted in to marketing consent). Email addresses sent for Enhanced Conversions are SHA-256 hashed in your browser before transmission.
- Meta Platforms, Inc. — marketing pixel (only if you opted in).
7. International transfers
Some of our processors are headquartered in the United States. Where transfers leave the EEA, they are protected by the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
8. Your rights under GDPR
You have the right to access, correct, port, restrict the processing of, or delete the personal data we hold about you. You also have the right to withdraw consent at any time and to lodge a complaint with your local data protection authority (in Sweden: IMY).
To exercise any of these rights, email privacy@bridgetoagent.com. We will respond within 30 days.
9. Security
All traffic is served over HTTPS. Secrets (API keys, signing keys) are held in environment variables and never reach the client. Generation tokens are HMAC-signed and single-use. We follow the principle of least privilege for third-party integrations.
10. Changes to this policy
We may update this policy. Material changes will be reflected by the “Last updated” date at the top. We encourage you to revisit periodically.
11. Contact
Privacy enquiries: privacy@bridgetoagent.com. General contact: hello@bridgetoagent.com.